Rudder 3.1 “Frigate” release

Rudder 3.1 “Frigate” was released 9th July 2015.

 

The main changes are:

  • Improvements on security: inventories are now signed and sent over HTTPS, a basic SELinux policy is now provided
  • New features in the API: compliance, rule and group categories, complex queries on nodes
  • Some UI improvements: compliance of each Node in Nodes list, a new filter box in Directive/Group tree in Rule details
  • Rule and directive execution sorting is now possible!
  • New commands in rudder cli
  • A new init script to rule them all

 

Security

The main focus of Rudder 3.1 is security.

Signed inventories

Inventories sent from 3.1 agents are signed by default using their private key. On 3.1 servers, the public key will be displayed is the pending Nodes list, and once accepted, all inventories updates have to be signed with the same key to be accepted by the server. An icon in Node details will indicate the status of inventory signing, next to “Display Node Key”.

  • A black icon indicates the inventory is not signed (expected behavior with pre-3.1 agents)
  • A green icon indicates that only signed inventories will be accepted

key

Inventories sent over HTTPS

When using Rudder 3.1 on your policy servers, HTTPS is used to send inventories from nodes to policy server. This implies that port 80 is not needed anymore, but port 443 must now be opened.
 

Reporting on UDP

The other big network change is the ability to use UDP to send reports to servers (only TCP was used before 3.1), to avoid breaking things in case of networking problems. UDP is even the default for new installations. To change the protocol used for reporting, go to Administration -> Settings.

udp
 

UI improvements

Compliance in Nodes list

The compliance of each node is now displayed in nodes list (and node search result) to easily identify problems.

compliance

A filter box in Directive/Group tree in Rule configuration

When the groups and directives number increases, it can be difficult to navigate to a particular one. There is now a search bar to get instant access to the group or directive you’re looking for.

filer_directive

filter_group
 

New features in Rudder API

You can now:

  • Get compliance
  • Manage rule and group categories
  • Make complex queries on nodes

The documentation is available at https://www.rudder-project.org/rudder-api-doc/.
 

Rules and directives ordering

Since 3.1.1, it is possible to order rules and directives execution. How? Use the name of the directive as order. That means faster convergence for complex configuration with inter-dependencies. First, the rules are ordered alphabetically, and within each rule, directives are also sorted alphabetically. The best way use that feature is to add a numeric prefix at the beginning of the rules or directives names (like “002. Install packages”).
 

New init script

We added a new init script, simple called rudder, deployed with rudder-agent. It is now the only script set to start at boot, and will take care of starting other services if needed.

For example, on a Rudder server:

init
 

New commands

rudder agent check

Check is rudder agent is working properly (configuration, processes, promises).

rudder agent info

Displays a summary of agent information, useful to debug problems:

info

rudder remote run <nodeId>

Triggers the execution of a remote agent from its policy server. You can use it to deploy quickly a policy update on your nodes, without having to wait for the agent run.
 

New supported OS

Rudder agent now runs on SLES 12.
 

Other changes

  • The underlying CFEngine is updated to the latest available version, 3.6.5, with a bunch of bugfixes.
  • Users running Rudder server on Ubuntu 14.04 experienced recurrent problems with reports logging. This is caused by a bug is the rsyslog version distributed in Ubuntu 14.04. We now provide a fixed rsyslog package in our repositories, and upgrading to Rudder 3.1.1 should install the package as a dependency.
  • A lot of other bugfixes, all are listed in the changelog

 

Versioning and Upgrades

Upgrade

Rudder 3.1 only supports direct upgrade from 2.11 and 3.0. If you are running 2.10 or older, you have to upgrade to 2.11 or 3.0 before upgrading to 3.1. Remember that, as usual, you have to upgrade the techniques manually to benefit from improvement and bugfixes in techniques.

“latest” versions

Rudder 3.0 is now an old-latest version, and will thus be maintained until 9th October 2015. If you are currently running 3.0 you should plan to upgrade to 3.1 before this date. Rudder 3.1 will be maintained at least 3 months after the next major Rudder release.

“ESR” versions

Since Rudder 2.11 was marked as ESR, Rudder 2.10 support will end the 5th December 2015. If you are currently running 2.10 you should plan to upgrade to 2.11, the last ESR, before this date. Rudder 2.11 will be maintained at least 6 months after the next ESR.